Menu
I am trying to consume a RESTful service from url https://someurl.com. I have added the following properties in my code:
Security.setProperty("ssl.SocketFactory.provider", "com.ibm.jsse2.SSLSocketFactoryImpl");
Security.setProperty("ssl.ServerSocketFactory.provider", "com.ibm.jsse2.SSLServerSocketFactoryImpl");
Security.setProperty("javax.net.ssl.trustStore", "cacerts.jks");
Security.setProperty("javax.net.ssl.keyStore", "keystore.jks");
Security.setProperty("javax.net.ssl.keyStoreType", "pkcs12");
Security.setProperty("javax.net.ssl.trustStoreType", "JKS");
The configuration changes that I have done so far are:
com.ibm.websphere.ssl.retrieveLeafCert to true
But I am getting the following exception:
java.security.cert.CertPathValidatorException: Certificate chaining error
javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=Walmart Root CA, O=Wal-Mart Stores Inc is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
at com.ibm.jsse2.o.a(o.java:22)
at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:423)
at com.ibm.jsse2.kb.a(kb.java:192)
at com.ibm.jsse2.kb.a(kb.java:176)
at com.ibm.jsse2.lb.a(lb.java:53)
at com.ibm.jsse2.lb.a(lb.java:464)
at com.ibm.jsse2.kb.s(kb.java:545)
at com.ibm.jsse2.kb.a(kb.java:530)
at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:79)
at com.ibm.jsse2.SSLSocketImpl.h(SSLSocketImpl.java:437)
at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:142)
at com.ibm.jsse2.SSLSocketImpl.startHandshake(SSLSocketImpl.java:686)
at com.ibm.net.ssl.www2.protocol.https.c.afterConnect(c.java:98)
at com.ibm.net.ssl.www2.protocol.https.d.connect(d.java:13)
at com.ibm.net.ssl.www2.protocol.https.b.connect(b.java:6)
at com.dwl.tcrm.tester.RESTClient_2.main(RESTClient_2.java:76)
503
I'm assuming you have a web application, which is trying to access that restful service.
First, you should not set your stores via javax.net.ssl.* properties, but use SSL configurations provided in WebSphere. So comment all these setProperty() calls.
Second, you have to add your service server certificate to the trust store.
Login to web admin console:
Security > SSL certificate and key management > Key stores and certificates > NodeDefaultTrustStore > Signer certificates
Retrieve from port button, and specify hostname, 443 port, and Alias.Retrieve singer information button.In some versions, the child certificate was imported (not the root), in that case, you will have to manually download the root certificate and intermediate (e.g. via browser, and import that one to the NodeDefaultTrustStore, but this time using Add button, not Retrieve..
159
This means your certificate is not added in cacerts. Try to execute this command as
keytool -list -v -keystore your_path_to_cacerts (Provide the list of cert in cacerts) check by matching the serial number of your certificate. If it is not there then please follow the steps given below
To export the Intermediate certificate: Internet Explorer -> Tools -> Internet Options -> Content -> Certificates -> To view the Certificate Path: Select Certificate -> View -> Certification Path -> To Export the Certificate: Select Certificate -> Export -> DER
encoded Binary Format -> Save ( From Firefox -> Tools -> Options -> Advanced -> Encryption -> View Certificates ) (Given here - http://www-01.ibm.com/support/docview.wss?uid=swg21592616) after this add this exported certificate with below command
keytool -import -trustcacerts -Keystore CACERTS(path) -alias alias -file cert path export in step 3
My issue was the same and I am able to resolve it by following these steps
35
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
